Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

3 alerts match the current filters. tactic: TA0005 ✕ technique: T1098 ✕

Show ATT&CK heatmap
  • Azure application URI modification Informational Identity Threat Module 1 variation

    An identity added or updated an Azure application's URI.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.
    Investigative actions: Check whether the account that modified the URI is supposed to perform such actions. Check for possible logins from the application modified. Check for possible account consents or credential changes regarding the application. Follow further actions done by the application.

    Variations

    Suspicious Azure application URI modification

    Low overridden

    An identity added or updated an Azure application's URI. overridden

  • Azure application credentials added Informational Identity Threat Module 2 variations

    An identity added credentials to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.
    Investigative actions: Check if the modified application is new to the organization. Check whether the account that modified the credentials is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.

    Variations

    Suspicious credential operation on an Azure application

    Medium overridden

    An identity added a certificate to an Azure application in a suspicious way. overridden

    Unusual certificate operation on an Azure application

    Low overridden

    An identity added a certificate to an Azure application with some unusual parameters. overridden

  • Azure device code authentication flow used Informational Identity Analytics 3 variations

    An Azure AD login was performed with device code flow.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: Azure Audit Log
    Attacker's goals: An attacker may use a device to access resources in the tenant using an access token from device code authentication flows.
    Investigative actions: Check what devices are listed with the logged-in user. Check if the account is authorized to use such devices to access resources. Check for possible logins from the device. Follow further actions done by the account and device.

    Variations

    Suspicious Azure device code authentication flow used by an Azure AD privileged user

    Medium overridden

    An Azure AD login was performed with device code flow. overridden

    Suspicious Azure device code authentication flow used

    Low overridden

    An Azure AD login was performed with device code flow. overridden

    Azure device code authentication flow used by an Azure AD privileged user

    Low overridden

    An Azure AD login was performed with device code flow. overridden